Play, Pause, Proceed: Decoding Online Gaming Laws

An overview of the laws related to online gaming that gaming businesses must comply with.
Harini Sudersan, Bilal Lateefi, Varun Rao

Online gaming has evolved in various forms such as single-player games, team-based games, role-playing games, virtual/augmented reality games and more.

Regardless of the form, online gaming remains popular with a wide audience across age, gender and location. This brings several technology law considerations into focus for gaming companies.

  • Data lifecycle management for gaming companies encompasses various stages from collection, consent management, processing, and disclosure to deletion and secure disposal. 

  • Processing of sensitive personal data such as passwords and financial information is subject to additional requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) in India.

  • Where ads are shown by gaming companies, the data that is collected and processed (including the use of data collected by other entities) and the basis on which ads are shown, need to be assessed. Adequate disclosures must be made in the privacy policy (which should be published on the website), and consent practices must be tightened to ensure compliance.

  • The age when a person is defined and protected as a child differs in different jurisdictions, and the implications of being considered a child may also vary. 

    • When a person is considered a child, their ability to consent to contracts (such as agreeing to the terms of service of an application) and personal data processing need to be evaluated, per jurisdiction.

    • Special measures need to be adopted to enable verified parental consent in jurisdictions such as the United States (“US”), European Union (“EU”) and, once India’s Digital Personal Data Protection Act, 2023 (and the rules thereunder; the “DPDP Framework”) comes into force, India as well. Under the DPDP Framework, such consent will need to be verified using virtual tokens to which age and identification details are mapped (the Draft Digital Personal Data Protection Rules, 2025 indicate that this could be done through a digital locker service), or based on identification details provided by the parent to, or available with, the game provider.

    • Content considered “harmful to children” should not be published, according to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”).

    • International gaming-specific regulations and requirements such as the Age-Appropriate Design Code in the UK and California should be considered as well, requiring the highest level of privacy settings to be adopted by default for children’s accounts, and parental consent for child data processing.

    • Under the Intermediary Rules, games classified for users above the age of thirteen (13) must ensure that access control mechanisms, including parental locks, are available.

    • Profiling, tracking and showing ads to children introduces further complexities. This may soon be banned in certain jurisdictions such as India, as well.

  • Transfer of data (whether to data processors as third-party recipients or international transfers) should be carefully reviewed: 

    • This includes remote access to data and data transfers through Application Programming Interface access. It would also include transfers to processors such as cloud, email integration service providers, etc.

    • International transfers may require additional safeguards under applicable laws (such as the adoption of Standard Contractual Clauses under the EU’s General Data Protection Regulation).

    • In India, disclosure of sensitive personal data or information to any third party requires prior permission from the individual who provided the information.

    • Once the DPDP Framework comes into force, additional restrictions may apply to the transfers of personal data outside India. Requirements may also arise for data localisation in India.

  • Data security policies and measures are crucial. 

    • Companies must undertake reasonable security practices which include technical, operational, and physical security control measures.

    • The DPDP Framework prescribes that users be immediately intimated of any personal data breach. Such communication must be concise and clear, describe the extent and nature of the breach, the consequences of the breach to the user and the safety measures being taken to mitigate any risk.

    • In case of a data breach or cyber incident, the Indian Computer Emergency Response Team (“CERT-In”) requires bodies corporate to notify CERT-In of such cyber incident or data breach within 6 (six) hours of becoming aware of such incident.

  • Indian online games/online gaming intermediaries must be especially mindful of certain additional requirements under the Intermediary Rules:

    • Online games that allow users to play with money must be verified as permissible by self-regulatory bodies (“SRB”), to ensure that they do not involve wagering. Such permitted games must display a corresponding mark of verification by the SRB on their online real money game. However, the SRBs contemplated under the Intermediary Rules are yet to be formally established, resulting in a regulatory and policy vacuum in the online gaming sector.

    • Online gaming intermediaries must verify the identities of their users using appropriate mechanisms, such as verifying the active Indian mobile number of such users. Some States have put in place higher thresholds of user identity verification. For example, under the recently notified Tamil Nadu Online Gaming Authority (Real Money Games) Regulations, 2025 (the “TN Regulations”), users are required to undertake know-your-customer verification, while all minors under the age of eighteen (18) are prohibited from playing online real-money games.

    • Regulations, privacy policies, and user agreements along with the intermediary’s physical contact address must be published on the website or mobile app of the online gaming intermediary. Intermediaries must also publish the name of the grievance officer and their contact details, on their website. Under the TN Regulations, the gaming intermediary is further required to display pop-up caution messages when a user plays continuously for more than one (1) hour, along with providing facilities to fix daily, weekly and monthly monetary limits for each user.

    • An online gaming intermediary must not offer financing services for the purpose of playing online real-money games.

    • Intermediaries must also ensure that users do not host any prohibited information.

  • Dark patterns must not be used. While deploying them may be an easy way to garner revenue or mine data, their use is illegal in India under the Guidelines for Prevention and Regulation of Dark Patterns, 2023. Inducing false urgency and adding items to the user’s basket without their knowledge are commonly observed examples of dark patterns.

  • The use of artificial intelligence (“AI”)/machine learning in games (for behavioural prediction, content moderation, etc.) may be subject to AI codes of conduct, the European Union AI Act or other standards, rules or regulations in various jurisdictions. 

Designing and executing a gaming business that respects users and their rights, and complies with applicable laws, naturally helps foster customer trust. Having said this, online gaming laws now form a labyrinthine maze encompassing technology law, privacy law, consumer protection law, antitrust law and more. Unravelling the various tangled issues and developing a comprehensive legal strategy is therefore recommended, with assistance from legal experts.

About the authors: Harini Sudersan is a Partner, Bilal Lateefi is a Principal Associate and Varun Rao is an Associate at Poovayya & Co.

Disclaimer: The information provided in this document is solely for general interest and information and is not intended to constitute legal advice and therefore should not be relied upon in any manner. The sending/sharing of this document does not create an attorney-client relationship between Poovayya & Co. and the recipient. For more specific comprehensive and up-to-date information or for legal advice and assistance, you should seek the opinion of legal counsel. Reproduction, distribution and/or republication of this document or the content of this document is prohibited unless you have obtained prior written permission from Poovayya & Co.

Disclaimer: The opinions expressed in this article are those of the author(s). The opinions presented do not necessarily reflect the views of Bar & Bench.
